IETF Logo Mail Archive

Re: [sipcore] No WebSocket level authentication scenario [was RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]

Paul Kyzivat <pkyzivat@alum.mit.edu> Thu, 20 June 2013 16:07 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66CDF21F9DA2 for <sipcore@ietfa.amsl.com>; Thu, 20 Jun 2013 09:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.331
X-Spam-Level:
X-Spam-Status: No, score=-0.331 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxSPVwfNHRBm for <sipcore@ietfa.amsl.com>; Thu, 20 Jun 2013 09:07:18 -0700 (PDT)
Received: from qmta05.westchester.pa.mail.comcast.net (qmta05.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:48]) by ietfa.amsl.com (Postfix) with ESMTP id 9681721F9D9F for <sipcore@ietf.org>; Thu, 20 Jun 2013 09:07:18 -0700 (PDT)
Received: from omta07.westchester.pa.mail.comcast.net ([76.96.62.59]) by qmta05.westchester.pa.mail.comcast.net with comcast id qbjf1l0031GhbT855g7H7i; Thu, 20 Jun 2013 16:07:17 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([50.138.229.164]) by omta07.westchester.pa.mail.comcast.net with comcast id qg7H1l00c3ZTu2S3Tg7HBv; Thu, 20 Jun 2013 16:07:17 +0000
Message-ID: <51C328B6.20506@alum.mit.edu>
Date: Thu, 20 Jun 2013 12:07:18 -0400
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: sipcore@ietf.org
References: <20130613011708.18316.28106.idtracker@ietfa.amsl.com> <CALiegfkg-KU1bB01eLXuksZV1ehBY92uf+0+F3fQuha-WnOS1A@mail.gmail.com> <013c01ce6c4e$29e33c90$7da9b5b0$@co.in> <CALiegfnQ8=R1PRbHwPSDjJ=jH+bBeiNqjU12yr8KmJvHWQg1Mg@mail.gmail.com> <12FDD6C8-F172-4B3B-A83A-211CF553DA1A@ag-projects.com> <CALiegfneR2MwFEgGnZVtNJUXbDv0Mw0uWK2RYOGi-euWvYpR1g@mail.gmail.com> <949EF20990823C4C85C18D59AA11AD8B055194@FR712WXCHMBA10.zeu.alcatel-lucent.com>
In-Reply-To: <949EF20990823C4C85C18D59AA11AD8B055194@FR712WXCHMBA10.zeu.alcatel-lucent.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1371744437; bh=/MOlJ9lS/8vzWr5Mwx8C2kWfy6On0qAxMYyQR8SY2C8=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=gsZOpmrenlLy7TnmGeUVYv9VfgIWfVXmkvAEt4cq2EG0N0wR8FwELSruM99c7x8yd cpZZLAHXY2rxLpTWB8gObSlQVxuhPyHIl5Qcetppp3mRdSzJD0VY5GjipjP6t3477Y tbOaBMn2Ot4sMox6gLcTgB02HU4EyQm68wPeMfd1imCmOxNOvUSr2bq6qz6yzJWJCD pl6hhDiU4DoxIXUKMmkVCs2ZdX5k6feCw5N0RpGi6Oq/WKkhL/FAzHf5NBcto3xBgN 1RoO1zi16xdGklBOFydJWvj6BKoyJ9yQXnxkFmc65N6W8uVtmr7WYfyMWQXFcVf8KE /b5c5j/I02k2w==
Subject: Re: [sipcore] No WebSocket level authentication scenario [was RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2013 16:07:23 -0000

On 6/19/13 8:06 AM, DRAGE, Keith (Keith) wrote:
> I would not use RFC 3261 as justification for what should, or should not, be said about authentication. The current RFC 3261 would probably fail a security directorate review if it was attempted to be approved as an RFC now.
>
> (I'd also point out that for any security consideration of RFC 3261, one should also read RFC 5630.)
>
> So I would suggest you conduct an independent security evaluation of what is needed.

I think we are in the midst of one with Stephen Farrell.

> For the use case you give:
>
>> A website (a shop) offers a widget in which the visitor can click and
>> made a SIP call (+WebRTC) that will end in the callcenter of the
>> company, answered by an agent that will inform the user about the
>> product he is interested in. Why do we require WWW or SIP
>> authentication in this scenario?
>
> I'd suggest that the issue to be discussed is what happens when the action described results in a transaction of some form to a third party (in the SIP case a call). The visitor then includes information that will be relayed to the third party. Who does the third party rely on to ensure that information is authentically given by the visitor.

I'm inclined to support Iñaki, that authentication of any sort shouldn't 
be Mandatory to *Use*.  Individual applications can decide when they 
have uses that require authentication and when they don't.

	Thanks,
	Paul

> Regards
>
> Keith
>
>
>
>> -----Original Message-----
>> From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On Behalf
>> Of Iñaki Baz Castillo
>> Sent: 19 June 2013 12:32
>> To: Saúl Ibarra Corretgé
>> Cc: SIPCORE (Session Initiation Protocol Core) WG; Parthasarathi R
>> Subject: Re: [sipcore] No WebSocket level authentication scenario [was RE:
>> I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
>>
>> 2013/6/19 Saúl Ibarra Corretgé <saul@ag-projects.com>:
>>> Why is authentication a MUST? Lets assume that I'm using UDP and my
>> proxy establishes a WS connection with a foreign domain's proxy because of
>> NAPTR and my proxy supports acting as a WS client. It obviously won't be
>> able to authenticate. If this scenario supposed to be covered?
>>
>> Honestly I agree. I cannot find in RFC 3261 (or other RFCs) a
>> normative statement mandating authentication, regardless the request
>> comes from a UA.
>>
>> In another thread we are discussing about MTI authentication
>> mechanisms that must be implemented by SIP WS Clients and Servers.
>> IMHO that is correct, but mandating SIP authentication or WWW
>> authentication for ALL the scenarios seem innapropriate for me. I come
>> back to an use case:
>>
>> A website (a shop) offers a widget in which the visitor can click and
>> made a SIP call (+WebRTC) that will end in the callcenter of the
>> company, answered by an agent that will inform the user about the
>> product he is interested in. Why do we require WWW or SIP
>> authentication in this scenario?
>>
>> If WG agrees with this, I will remove the normative statements in
>> "Authentication" section, and instead address the MTI authentication
>> mechanisms.
>>
>>
>> --
>> Iñaki Baz Castillo
>> <ibc@aliax.net>
>> _______________________________________________
>> sipcore mailing list
>> sipcore@ietf.org
>> https://www.ietf.org/mailman/listinfo/sipcore
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>

v2.23.0 | Report a Bug | By Email